U-M's chief information security officer talks about cybersecurity

+ more information

Data breaches and cyberattacks seem like a permanent part of the news cycle. They have even become presidential debate fodder. How do we separate the hype from reality? One way is to attend the annual Security at University of Michigan IT (SUMIT) conference Thursday. Speakers and panelists will raise awareness and educate the community about topical cybersecurity and privacy issues.

October is National Cyber Security Awareness Month. In this interview, Don Welch, U-M's chief information security officer, talks about raising the bar on protecting the institution's data and information systems, and why it's more critical now than ever.

Q: What cybersecurity threats are institutions like U-M facing?

Welch: Higher education has the highest number of IT security breaches among most industry sectors. Since 2005, there have been more than 500 breaches involving upwards of 13 million records. In 2014, more than 40 universities and colleges were cyberattack victims. U-M has been targeted, but fortunately the attacks were not significant. Institutions like Michigan are attractive to nation-state actors and cybercriminals because of the personal information collected about faculty, staff, alumni, patients, students and their parents. Add to this ground-breaking research, intellectual property and numerous services that can be accessed through online and collaborative environments using computers and mobile devices, and there is a treasure-trove of information with considerable value.

Q: What are the implications of a successful cyberattack?

Welch: A cyberattack can be costly. Depending on the severity, costs can skyrocket into the millions of dollars. In addition, damage to institutional and individual reputations, and regulatory scrutiny or investigations can put research grants at risk.

Q: What is the university doing to prevent such attacks?

Welch: We are in the midst of revising the U-M Information Security Policy to more specifically describe how data should be secured, and improving the institution's data classification scheme. In addition, we are building out central security functions in the U-M Health System and integrating them into one information assurance program. Finally, we're investing in more sophisticated tools and technology to better detect and contain potential attackers.

Q: What are the challenges of revising the security program?

Welch: At U-M where openness and collaboration are essential, campus community members need to share in the responsibility for IT safety. What one individual does or doesn't do can impact a department, unit or the entire institution. While having a single policy that everyone follows may pose challenges, the opportunity is that if we do it well, there is a decreased likelihood that institutional data can be breached or stolen.

Q: What is the university doing to make it easier for everyone to do their part?

Welch: The revised Information Security Policy is clearer. Schools, colleges, units and clinics will have specific security standards, making it clear to IT staff what they need to implement, and making faculty and staff comfortable they are in compliance. We are also increasing education, awareness and training. One easy step we all can take is to turn on two-factor authentication for Weblogin to protect personal information in Wolverine Access, U-M Google Mail and Drive, U-M Box and more.

Q: How has the chief information security officer position changed since you have been at the university?

Welch: When I arrived in spring 2015, it was the first time U-M had a chief information security officer with operational responsibility for all campuses and the health system. The executive officers recognized that major parts of the institution are interconnected. The university has an interdisciplinary nature and having individual units addressing cybersecurity issues independently poses institutional risk. Raising the position's profile to one that works holistically across the university makes for more consistent security and decreases risk.